So the more I think about this, the more I think that the tailscale module is just a bad abstraction.
In addition to all the stuff discussed above about the ACL document actually being a bunch of resources compiled together, managing machine properties is really annoying.
So, you can't create a machine in Tailscale. You create an auth key, hand it to the machine, and the machine creates itself. Which means that to manage machine properties (e.g. tags or key expiry), you have two different regimes:
• If the machine doesn't exist yet, you attach them to the auth key when you (re)create it
• If the machine does exist, you modify its properties
The current module manages Machines and Authkeys as distinct resources, which means that coordinating tailscale resources with VM creation is annoying, ugly, and probably causes some weirdness in the stack state.
I would much rather condense them into one resource that does the appropriate switching behind the scenes.
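As an added illustration (not code from the module or from the commenter above) of what "one resource that does the switching behind the scenes" could look like: a reconciler that takes the desired machine properties and either mints a tagged auth key (machine absent) or patches the existing device (machine present). The `TailnetClient` interface and the `FakeTailnet` control plane are hypothetical stand-ins constructed for this example; they are not the real Tailscale API client, and wiring them to the actual HTTP API is left out.

```python
"""Reconcile one "machine" resource across the two Tailscale regimes:
auth-key-carries-properties (before the node exists) and
patch-the-device (after it has joined)."""
from dataclasses import dataclass, field
from typing import Optional, Protocol
import secrets


@dataclass
class DesiredMachine:
    hostname: str
    tags: list[str]                     # Tailscale ACL tags are "tag:"-prefixed, e.g. "tag:web"
    key_expiry_disabled: bool = False


@dataclass
class Device:
    id: str
    hostname: str
    tags: list[str]
    key_expiry_disabled: bool


class TailnetClient(Protocol):
    """Hypothetical narrow interface over the control plane (assumed, not the real SDK)."""
    def find_device(self, hostname: str) -> Optional[Device]: ...
    def create_auth_key(self, tags: list[str], preauthorized: bool) -> str: ...
    def set_device_tags(self, device_id: str, tags: list[str]) -> None: ...
    def set_key_expiry_disabled(self, device_id: str, disabled: bool) -> None: ...


@dataclass
class ReconcileResult:
    action: str                          # "create_authkey", "update" or "noop"
    auth_key: Optional[str] = None       # only set for create_authkey; hand this to the VM
    changes: list[str] = field(default_factory=list)


def _validate_tags(tags: list[str]) -> None:
    # Fail early: a key with a malformed tag would be rejected by the control plane anyway.
    for t in tags:
        if not t.startswith("tag:"):
            raise ValueError(f"invalid tag {t!r}: Tailscale tags must start with 'tag:'")


def reconcile(client: TailnetClient, desired: DesiredMachine) -> ReconcileResult:
    _validate_tags(desired.tags)
    device = client.find_device(desired.hostname)
    if device is None:
        # Regime 1: the machine does not exist yet, so the properties ride on the auth key.
        key = client.create_auth_key(tags=sorted(desired.tags), preauthorized=True)
        return ReconcileResult("create_authkey", auth_key=key)
    # Regime 2: the machine exists; patch only the properties that drifted.
    changes: list[str] = []
    if sorted(device.tags) != sorted(desired.tags):
        client.set_device_tags(device.id, sorted(desired.tags))
        changes.append("tags")
    if device.key_expiry_disabled != desired.key_expiry_disabled:
        client.set_key_expiry_disabled(device.id, desired.key_expiry_disabled)
        changes.append("key_expiry")
    return ReconcileResult("update" if changes else "noop", changes=changes)


class FakeTailnet:
    """In-memory stand-in for the control plane, constructed for this example only."""
    def __init__(self) -> None:
        self.keys: dict[str, list[str]] = {}     # unused auth key -> tags it is allowed to apply
        self.devices: dict[str, Device] = {}     # hostname -> device

    def find_device(self, hostname: str) -> Optional[Device]:
        return self.devices.get(hostname)

    def create_auth_key(self, tags: list[str], preauthorized: bool) -> str:
        key = "tskey-auth-" + secrets.token_hex(8)   # shape only; not a real key format guarantee
        self.keys[key] = list(tags)
        return key

    def _by_id(self, device_id: str) -> Device:
        return next(d for d in self.devices.values() if d.id == device_id)

    def set_device_tags(self, device_id: str, tags: list[str]) -> None:
        self._by_id(device_id).tags = list(tags)

    def set_key_expiry_disabled(self, device_id: str, disabled: bool) -> None:
        self._by_id(device_id).key_expiry_disabled = disabled

    def join(self, auth_key: str, hostname: str) -> Device:
        """Simulate the VM running `tailscale up --authkey ...`: the node creates itself
        with the tags baked into the key. The key is single-use, so reuse raises KeyError."""
        tags = self.keys.pop(auth_key)
        dev = Device(id=f"n{len(self.devices) + 1}", hostname=hostname,
                     tags=tags, key_expiry_disabled=False)
        self.devices[hostname] = dev
        return dev
```

The point of returning `action` is that a provider can surface it in state: the resource is "pending join" after `create_authkey` and "converged" after `noop`, so re-running the stack after the VM comes up flips into regime 2 without a second resource type.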